Name

blacklist — Shorewall Blacklist file

Synopsis

/etc/shorewall/blacklist

Description

The blacklist file is used to perform static blacklisting by source address (IP or MAC), or by application. The use of this file is deprecated
and beginning with Shorewall 4.5.7, the file is no longer
installed.

The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).

A dash ("-") in this column means that any source address will
match. This is useful if you want to blacklist a particular
application using entries in the PROTOCOL and PORTS columns.

PROTOCOL (proto) - {-|[!]protocol-number|[!]protocol-name}

Optional - If specified, must be a protocol number or a
protocol name from protocols(5).

PORTS - {-|[!]port-name-or-number[,port-name-or-number]...}

Optional - may only be specified if the protocol is TCP (6) or
UDP (17). A comma-separated list of destination port numbers or
service names from services(5).

OPTIONS - {-|{dst|src|whitelist|audit}[,...]}

Optional - added in 4.4.12. If specified, indicates whether
traffic from ADDRESS/SUBNET (src) or traffic to
ADDRESS/SUBNET (dst) should be
blacklisted. The default is src. If
the ADDRESS/SUBNET column is empty, then this column has no effect
on the generated rule.

Note

In Shorewall 4.4.12, the keywords from and to were used in
place of src and dst respectively. Blacklisting was still
restricted to traffic arriving on an
interface that has the 'blacklist' option set. So to block traffic
from your local network to an internet host, you had to specify
blacklist on your internal interface in shorewall-interfaces
(5).

Note

Beginning with Shorewall 4.4.13, entries are applied based
on the blacklist setting in
shorewall-zones(5):

'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
from this zone is passed against the entries in this file that
have the src option
(specified or defaulted).

'blacklist' in the OPTIONS or OUT_OPTIONS column.
Traffic to this zone is passed against the entries in this
file that have the dst
option.

In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.

The audit option was also
added in 4.4.20 and causes packets matching the entry to be audited.
The audit option may not be
specified in whitelist entries and require AUDIT_TARGET support in
the kernel and iptables.